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IN THE CLAIMS 

What is claimed is: 

1 1 . A system for authenticating a subject residing in a subject domain on a network to a 

2 server application residing in a server domain on the network, wherein an authentication 

3 mechanism residing in an authentication domain on the network affects the service provided by 

4 the server application, the system comprising: 

5 a client for communicating with other components of the system and for authenticating 

6 the subject to other components of the system by providing a client name 

7 assertion on behalf of the subject, wherein said client also resides in the subject 

8 domain; and 

9 a protocol proxy for communicating between said client and the authentication 

ICD mechanism and for authenticating said client based on said client name assertion, 

j| for obtaining from the authentication mechanism credentials for said client to 

ft access the server application, and for creating from said credentials an 

IB authentication name assertion allowing said client to access the server application. 

:L1 2. The system of claim 1, wherein: 

42 the subject is non-human and said client is integrated into the subject; and 

;7$ said client gathers subject credentials for the subject and communicates said subject 

|«4 credentials to said protocol proxy. 

1 3. The system of claim 1 , wherein a plurality of the authentication mechanisms are present 

2 on the network, and the system further comprising: 

3 an agent for communicating with other components of the system and for interacting with 

4 said client to chose an appropriate authentication mechanism from among said 

5 plurality of the authentication mechanisms, wherein said agent resides in an agent 

6 domain on the network. 
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4. The system of claim 3, wherein said client interacts with said protocol proxy to determine 
a specification of the authentication mechanism and said client communicates said specification 
to said agent. 
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1 5. The system of claim 3, wherein said client includes a callback mechanism for 

2 determining said appropriate authentication mechanism for the server application from among 

3 said plurality of the authentication mechanisms. 

1 6. The system of claim 5, wherein said callback mechanism interacts with the subject to 

2 determine said appropriate authentication mechanism. 

1 7. The system of claim 5, wherein said callback mechanism accesses a configuration 

2 repository to determine said appropriate authentication mechanism. 

1 8. The system of claim 3, wherein said agent includes a mechanism resolver for determining 

2 from said plurality of the authentication mechanisms a subset of zero or more of the 

3 authentication mechanisms which affects the service provided by the server application. 

1 9. The system of claim 8, wherein said agent further includes an authentication agent for 

2 brokering between said client and said mechanism resolver. 

1 10. The system of claim 8, wherein said agent further includes a mechanism repository for 

2 storing information about said plurality of the authentication mechanisms and said mechanism 

3 resolver queries said mechanism repository when determining said subset of zero or more of the 

4 authentication mechanisms which affects the service provided by the server application. 

1 11. The system of claim 10, wherein said agent further includes a mechanism registrator for 

2 the authentication mechanism to register in said mechanism repository by adding information 

3 about itself. 

1 12. The system of claim 11, wherein said mechanism registrator is further for the 

2 authentication mechanism to update itself in said mechanism repository by changing information 

3 about itself 
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1 13. The system of claim 4, wherein said protocol proxy resides in said agent domain on the 

2 network. 

1 14. The system of claim 1 ? wherein said protocol proxy resides in the authentication domain 

2 on the network. 

1 15. The system of claim 1, wherein said protocol proxy uses a standard security protocol to 

2 communicate with said client and a mechanism-specific protocol to communicate with the 

3 authentication mechanism. 

1 17. The system of claim 1, wherein at least one of said client and said protocol proxy 
authenticates using SRP protocol 

SI 18. The system of claim 1 , wherein said protocol proxy produces a signed name assertion. 

^1 19. The system of claim 18, wherein said signed name assertion is contained in a S2ML 

132 document. 

j«l 20. The system of claim 18, wherein said protocol proxy further produces a signed name 

u2 entitlement. 

1 21 . The system of claim 1 , wherein said protocol proxy uses a proxy name assertion to 

2 authenticate itself to the client. 

1 22. The system of claim 1 ? further comprising an adapter for receiving said authentication 

2 name assertion, recreating said credentials, and permitting said client to access the server 

3 application based on said credentials. 

1 23. A method for authenticating a subject residing in a subject domain on a network to a 

2 server application residing in a server domain on the network, wherein an authentication 
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3 mechanism residing in an authentication domain on the network affects the service provided by 

4 the server application, the method comprising the steps: 

5 (a) authenticating the subject to a protocol proxy with a client by providing subject 

6 credentials on behalf of the subject; 

7 (b) obtaining a name assertion from said protocol proxy via the authentication mechanism 

8 which will allow said client to access the server application, thereby mediating 

9 between said protocol proxy and the authentication mechanism to permit the 

10 subject to access the server application via said client; 

1 1 (c) creating an authentication name assertion with said protocol proxy based on said 

12 subject credentials which will allow said client to access the server application; 

13 (d) communicating said authentication name assertion to said client; and 

r§4 (e) communicating said authentication name assertion to the server application. 

rU 1 24. The method of claim 23, wherein the subject is non-human and said client is integrated 

iif.2 into the subject, and the method further comprising: 

j"{3 gathering said subject credentials with said client for the subject; and 

« 4 communicating said subject credentials to said protocol proxy. 

j^l 25. The method of claim 23 , wherein a plurality of the authentication mechanisms are present 

02 on the network, and the method further comprising: 

3 interacting between said client and an agent to chose an appropriate authentication 

4 mechanism from among said plurality of the authentication mechanisms, wherein 

5 said agent resides in an agent domain on the network. 

1 26 . The method of claim 25 , further comprising: 

2 interacting between said client and said protocol proxy to determine a specification of the 

3 authentication mechanism; and 

4 communicating said specification with said client to said agent. 
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1 27. The method of claim 25, further comprising determining an appropriate authentication 

2 mechanism for accessing the server application from among said plurality of the authentication 

3 mechanisms. 

1 28. The method of claim 27, further comprising interacting with the subject to determine said 

2 appropriate authentication mechanism. 

1 29. The method of claim 27, further comprising accessing a configuration repository to 

2 determine said appropriate authentication mechanism. 

1 30. The method of claim 27, further comprising: 

Q 2 (f) resolving from said plurality of the authentication mechanisms a subset of zero or 

m 3 more of the authentication mechanisms which affects the service provided by the 

| ^ 4 server application. 

1 31. The method of claim 30, wherein said agent further includes an authentication agent, and 

2 the method further comprising: 

5 p 3 brokering between and authentication agent and said client in said step (f). 

0 1 32. The method of claim 30, wherein said agent domain further includes a mechanism 

2 repository, and the method further comprising: 

3 storing information about said plurality of the authentication mechanisms in said 

4 mechanism repository; and 

5 querying said mechanism repository in said step (f). 

1 33. The method of claim 32, further comprising registering the authentication mechanism in 

2 said mechanism repository by adding information about the authentication mechanism. 

1 34. The method of claim 25, wherein said protocol proxy resides in said agent domain on the 

2 network. 
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1 35. The method of claim 23 , wherein said protocol proxy resides in the authentication 

2 domain on the network. 

1 36. The method of claim 23, wherein said protocol proxy uses a standard security protocol to 

2 communicate with said client and a mechanism-specific protocol to communicate with the 

3 authentication mechanism. 

1 37. The method of claim 23, wherein at least one of said client and said protocol proxy 

2 authenticates using SRP protocol. 

1 38. The method of claim 23 , wherein said protocol proxy produces a signed name assertion. 

39. The method of claim 38, wherein said signed name assertion is contained in a S2ML 

5^2 document. 

C| 40. The method of claim 38, wherein said protocol proxy further produces a signed name 

;L2 entitlement. 

^ 41 . The method of claim 23, wherein said protocol proxy uses a proxy name assertion to 

Q> authenticate itself to the client. 

1 42. The method of claim 23, further comprising an adapter, and the method further 

2 comprising: 

3 receiving said authentication name assertion with said adapter; 

4 recreating said credentials with said adapter; and 

5 permitting said client to access the server application based on said credentials. 



